Darkhotel Exploits Microsoft Zero-Day VBScript Flaw

Researchers have discovered that the Darkhotel APT is exploiting a recently-patched zero-day vulnerability impacting Microsoft VBScript.

Researchers at Trend Micro recently disclosed the flaw in Microsoft Visual Basic Scripting Engine (VBScript), an active scripting language developed by Microsoft modeled on Visual Basic.  The flaw is a remote code-execution vulnerability () existing in the way that the scripting engine handles objects in memory in Internet Explorer.

Microsoft patched the flaw during last week’s Patch Tuesday – but soon after, researchers with Trend Micro and Qihoo 360 both linked the attack with the Darkhotel APT gang.

“It can be seen from this incident that the [Darkhotel] attack gang has maintained a relatively high level of activity in recent years, and will even use the 0-day vulnerability for the purpose of attack,” Qihoo 360 researchers said in their recent post about the campaign.

CVE-2018-8373

Elliot Cao of Trend Micro Security Research (working with Trend Micro’s Zero Day Initiative) first discovered the flaw July 11. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

An attacker who successfully exploited the vulnerability could gain the same user rights as the current user – so if the current user is logged on with administrative-user rights, an attacker who successfully exploited the vulnerability could take control of an affected system, according to Microsoft. Attackers could then install programs; view, change or delete data; or create new accounts with full user rights.

“It could result in remote code-execution and grants the same privileges as the logged-in user, including administrative rights,” said Chris Goettl, director of product management, security, for Ivanti, in an email.  “Because this vulnerability exists in IE 9, 10 and 11, it affects all Windows operating systems from Server 2008 to Windows 10.”

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website.

The flaw impacts the VBSCript engine in the latest versions of Windows as well as Internet Explorer versions IE 9 and 10. Microsoft recently disabled VBScript in IE 11, meaning that this version of Internet Explorer is not impacted.

Microsoft has given the flaw a “2” on the Exploitability Index for the latest software release, meaning exploitation is less likely; however, exploitation has been detected on older releases, including the latest Darkhotel effort.

Darkhotel

After discovering an exploit for CVE-2018-8373, Trend Micro researchers found that the sample used the same obfuscation technique as exploits for CVE-2018-8174, a VBScript engine remote code-execution vulnerability patched back in May.

“This is similar to CVE-2018-8174, which has been circulating since before May’s patch Tuesday, primarily in Asia… The same techniques were used by both exploits. Both were leveraging [use-after-frees] within VBScript Engine, were hitting similar functions within the engine, and had a similar method for running shellcode,” Dustin Childs, with Trend Micro’s ZDI, told Threatpost.

As the flaw was similar to the use-after-free (UAF) vulnerability in vbscript.dll, called Double Kill, which remained unpatched in the latest VBScript engine, researchers suspected that this exploit sample came from the same creator.  Researchers were also able to obtain the domain name used by the exploit, and found that it was the same one used in May for Darkhotel APT.

Darkhotel was first identified in 2014 by Kaspersky Lab researchers, who said the group had been active since at least 2007. The group was known for targeting diplomats and corporate executives via Wi-Fi networks at luxury hotels – and has since then continued accessing zero-day vulnerabilities and exploits.

Exploit

The original exploit was heavily obfuscated, but researchers were able to demonstrate a proof of concept (PoC) to explain how the flaw could be exploited.

“Based on our analysis, this vulnerability can be steadily exploited,” Cao said in the analysis of the exploit. “Moreover, since it is the second Visual Basic engine exploit found in the wild this year, it is not far-fetched to expect other vulnerability findings in the VB engine in the future.”

There are three parts to the PoC exploit used to trigger use-after-free memory corruption, thus enabling attackers to run shellcode on the system: Using the vulnerability to modify a two-dimensional array’s structure’s length (to 0x0FFFFFFF), implementing read/write primitives and faking CONTEXT structure to execute shellcode.

Childs told us that, while not widespread at this time, the exploit “certainly has the chance of broader use since it’s a reliable attack.”

He added, “For this to succeed, the attacker must convince the user to click a link or open a malicious file. This is usually done through spear phishing, but it could be links sent through messenger apps, too.”

Cao recommended that users update their systems as soon as possible: “As a first line of defense, we recommend applying the latest security patches once they’re available to prevent exploits,” he said.